hello, some questions
on the ossec agent machine, what is the difference between
1. /var/ossec/logs/active-responses.log
2. /var/ossec/active-response/ossec-hids-responses.log
I've a few local rules like this which I hope do what the description
says. (ossec is set to email 7+ and active-response rules are 6+)
<rule id="100104" level="6" frequency="10" timeframe="160">
  <if_sid>5551</if_sid>
  <description>Make Multiple failed logins not send email but still do active response</description>
</rule>
Originally it started like <rule id="100104" level="6">, but that seemed
to active-response people after 1 failed login. So, it seems that when
"overloading" rules like this, parameters like frequency and timeframe
are not inherited. Is that correct? Is there a better solution to what
I'm trying to do?
thanks,
norm
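An added example, not part of the original post: an OSSEC local_rules.xml fragment that places the posted rule beside a composite rule built with if_matched_sid, which is the form in which frequency and timeframe are actually counted, plus the matching active-response stanza. Rule id 5503, the "host-deny" command and the timeout value are assumptions taken from a stock OSSEC install, not from the post.

```xml
<!-- Added example (not from the original post). File: /var/ossec/rules/local_rules.xml -->
<group name="local,authentication_failed,">

  <!-- As posted, kept here disabled for comparison. <if_sid> is a plain
       parent match: the rule is evaluated on every single event that 5551
       already matched, and the frequency/timeframe attributes are not
       consulted, so it fires after one event.
  <rule id="100104" level="6" frequency="10" timeframe="160">
    <if_sid>5551</if_sid>
    <description>Multiple failed logins: no email, active response only</description>
  </rule>
  -->

  <!-- Composite form: frequency/timeframe are only honoured together with
       if_matched_sid / if_matched_group / if_matched_regex. This rule counts
       matches of the per-event parent rule from one source IP and fires once
       10 of them arrive within 160 seconds.
       Assumption: 5503 is the per-event PAM "User login failed" rule that the
       stock 5551 is built on; confirm the id in your own pam_rules.xml. -->
  <rule id="100104" level="6" frequency="10" timeframe="160">
    <if_matched_sid>5503</if_matched_sid>
    <same_source_ip />
    <!-- Redundant while the mail threshold is 7, but states the intent. -->
    <options>no_email_alert</options>
    <description>Multiple failed logins from one source: active response only, no email</description>
  </rule>

</group>
```

The matching stanza in ossec.conf binds the response to this rule id rather than to a level, so lowering or raising other rules' levels later does not change which events trigger it (assumed command name and timeout):

```xml
<!-- Added example (not from the original post). Fragment of /var/ossec/etc/ossec.conf -->
<ossec_config>
  <active-response>
    <command>host-deny</command>   <!-- assumed: stock OSSEC command name -->
    <location>local</location>
    <rules_id>100104</rules_id>    <!-- fire on the composite rule only -->
    <timeout>600</timeout>         <!-- assumed: seconds before the block is undone -->
  </active-response>
</ossec_config>
```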